Node access control in Docker EE Advanced


The ability to segment scheduling and visibility by node is called
node access control and is a feature of Docker EE Advanced. By default,
every node that is not an infrastructure node (a UCP or DTR node) belongs to a
built-in collection called /Shared, and all application workloads in the
cluster are scheduled on nodes in the /Shared collection. This includes
workloads that users deploy into their private collections
(/Shared/Private/) and into any other collection under /Shared. A built-in
grant gives every UCP user the scheduler capability against the /Shared
collection, which is what allows this default behaviour.

Node access control works by placing nodes into custom collections outside of
/Shared. If a role that carries the scheduler capability is granted to a user
or group of users against such a collection, they will be able to schedule
containers and services on the nodes in it. For example, users with the
scheduler capability against /collection1 will be able to schedule
applications on the nodes that belong to /collection1.

Because these collections lie outside of the /Shared collection in the
directory, the built-in grant does not cover them: users who have not been
explicitly granted access to a custom collection cannot schedule onto its
nodes and can only deploy applications on the nodes in the built-in /Shared
collection.
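The following is an added example, not code from the Docker EE documentation or from UCP itself: a small model of the scheduling rule described above. Node names, the team name `team-a`, the collection `/collection1/gpu` and the `Role`/`Grant` types are constructed for illustration. It encodes the two rules the page states: every user holds the built-in scheduler grant on /Shared, and a grant against a collection outside /Shared only helps users who actually hold it (here the grant is modelled as also covering collections nested beneath the granted one).

```python
"""Model of the node access control semantics described above.
Constructed example; this is not UCP's own authorization code."""

from dataclasses import dataclass

SCHEDULER = "scheduler"


@dataclass(frozen=True)
class Role:
    name: str
    capabilities: frozenset


@dataclass(frozen=True)
class Grant:
    subject: str      # user name, team name, or "*" for every UCP user
    role: Role
    collection: str   # collection path such as "/Shared" or "/collection1"


def is_within(collection: str, ancestor: str) -> bool:
    """True if `collection` is `ancestor` or lies beneath it in the directory."""
    c = collection.rstrip("/") or "/"
    a = ancestor.rstrip("/") or "/"
    return c == a or a == "/" or c.startswith(a + "/")


# Built-in grant: every UCP user has the scheduler capability against /Shared.
SCHEDULER_ROLE = Role("Scheduler", frozenset({SCHEDULER}))
BUILTIN_SHARED_GRANT = Grant("*", SCHEDULER_ROLE, "/Shared")


def schedulable_nodes(user, user_teams, grants, nodes):
    """Return the sorted names of the nodes `user` may schedule workloads on.

    `nodes` maps node name -> collection path the node has been placed in.
    `grants` is the cluster's explicit grants; the built-in /Shared grant is
    always added.
    """
    subjects = {user, "*"} | set(user_teams)
    granted_collections = {
        g.collection
        for g in [BUILTIN_SHARED_GRANT, *grants]
        if g.subject in subjects and SCHEDULER in g.role.capabilities
    }
    return sorted(
        name
        for name, collection in nodes.items()
        if any(is_within(collection, granted) for granted in granted_collections)
    )


# Constructed inventory: two default nodes in /Shared, two nodes moved into a
# custom collection outside /Shared, and one infrastructure node.
NODES = {
    "worker-1": "/Shared",
    "worker-2": "/Shared",
    "worker-3": "/collection1",
    "worker-4": "/collection1/gpu",   # nested under the custom collection
    "ucp-manager-1": "/System",       # infrastructure node, never in /Shared
}

# Constructed grant: only members of team-a may schedule onto /collection1.
GRANTS = [Grant("team-a", SCHEDULER_ROLE, "/collection1")]


if __name__ == "__main__":
    print("alice (team-a):", schedulable_nodes("alice", ["team-a"], GRANTS, NODES))
    print("bob (no grant):", schedulable_nodes("bob", [], GRANTS, NODES))
```

In a real UCP cluster the node-to-collection placement is done with a node label (`docker node update --label-add com.docker.ucp.access.label=/collection1 <node>`) and the grant is created in the UCP web UI or API; the model above only reproduces the resulting authorization outcome so you can check your intended grants before applying them.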